Ruleset Update Summary - 2025/04/17 - v10908

rulesbot · April 17, 2025, 9:02pm

Summary:

174 new OPEN, 181 new PRO (174 + 7)

Added rules:

Open:

2018372 - ET RETIRED Malformed HeartBeat Request (retired.rules)
2018373 - ET RETIRED Malformed HeartBeat Response (retired.rules)
2018374 - ET RETIRED Malformed HeartBeat Request method 2 (retired.rules)
2036985 - ET RETIRED Observed DNS Query to Maldoc Domain (webnar .info) (retired.rules)
2037107 - ET RETIRED Win32/Delf.TJJ CnC Checkin M1 (retired.rules)
2037108 - ET RETIRED Win32/Delf.TJJ CnC Checkin M2 (retired.rules)
2037111 - ET RETIRED Win32/Delf.TJJ CnC Domain in DNS Lookup (dsk .5636 .com) (retired.rules)
2037112 - ET RETIRED Win32/Delf.TJJ CnC Domain in DNS Lookup (wx .go890 .com) (retired.rules)
2037113 - ET RETIRED Win32/Delf.TJJ CnC Domain in DNS Lookup (cfg .jipinwan .com) (retired.rules)
2037114 - ET RETIRED Win32/Delf.TJJ CnC Domain in DNS Lookup (bk .957wan .com) (retired.rules)
2037115 - ET RETIRED Win32/Delf.TJJ CnC Domain in DNS Lookup (www .58sky .com) (retired.rules)
2037116 - ET RETIRED Win32/Delf.TJJ CnC Domain in DNS Lookup (cnwx .58ad .cn) (retired.rules)
2037117 - ET RETIRED Win32/Delf.TJJ CnC Domain in DNS Lookup (gc .wb51 .com) (retired.rules)
2037118 - ET RETIRED Win32/Delf.TJJ CnC Domain in DNS Lookup (cmps .58sky .com) (retired.rules)
2037143 - ET RETIRED ZuoRAT CBeacon CnC (retired.rules)
2037741 - ET RETIRED AlphabetSoup Adware Extension CnC Checkin (retired.rules)
2038900 - ET RETIRED Win32/Agent.XXZ Checkin (retired.rules)
2038901 - ET RETIRED Win32/Covagent Checkin (retired.rules)
2039778 - ET RETIRED GO/Titan Stealer Data Exfiltration Attempt (retired.rules)
2043198 - ET RETIRED Win32/Aurora Stealer WORK Command (retired.rules)
2043199 - ET RETIRED Win32/Aurora Stealer Accept Command (retired.rules)
2043200 - ET RETIRED Win32/Aurora Stealer Thanks Command (retired.rules)
2045222 - ET RETIRED TA453 Modified IIS-Raid Backdoor Module Headers in HTTP Request (retired.rules)
2045223 - ET RETIRED TA453 IIS Credential Stealer Module/Backdoor Headers in HTTP Request (retired.rules)
2045224 - ET RETIRED TA453 BellaCiao ASPX Backdoor User-Agent in HTTP Request (retired.rules)
2045225 - ET RETIRED IIS-Raid Module Backdoor Default Headers in HTTP Request (retired.rules)
2045226 - ET RETIRED IIS-Raid Module Backdoor Ping in HTTP Request (retired.rules)
2045298 - ET RETIRED Truebot/Silence.Downloader No Tasking Response from Server (retired.rules)
2045299 - ET RETIRED TrueBot/Silence.Downloader CnC Checkin 4 (retired.rules)
2046259 - ET RETIRED Kimsuky ReconShark Related APT Activity (retired.rules)
2046729 - ET RETIRED [ANY.RUN] Remcos RAT Checkin 861 (retired.rules)
2046730 - ET RETIRED GobRAT CnC Domain in DNS Lookup (ktlvz .dnsfailover .net) (retired.rules)
2046731 - ET RETIRED GobRAT CnC Domain in DNS Lookup (wpksi .mefound .com) (retired.rules)
2046732 - ET RETIRED GobRAT CnC Domain in DNS Lookup (su .vealcat .com) (retired.rules)
2046733 - ET RETIRED Observed GobRAT Domain (ktlvz .dnsfailover .net) in TLS SNI (retired.rules)
2046734 - ET RETIRED Observed GobRAT Domain (wpksi .mefound .com) in TLS SNI (retired.rules)
2046735 - ET RETIRED Observed GobRAT Domain (su .vealcat .com) in TLS SNI (retired.rules)
2046881 - ET RETIRED Suspected Andariel RexPot CnC Checkin M1 (retired.rules)
2046882 - ET RETIRED Suspected Andariel RexPot CnC Checkin M2 (retired.rules)
2047004 - ET RETIRED Win32/OriginLoader CnC Checkin (retired.rules)
2047005 - ET RETIRED MacOS/Realst CnC Checkin (retired.rules)
2047616 - ET RETIRED MacOS/RustBucket System Information Exfiltration Attempt (retired.rules)
2047638 - ET RETIRED APT29 CnC Domain in DNS Lookup (sgrhf .org .pk) (retired.rules)
2047639 - ET RETIRED APT29 CnC Domain in DNS Lookup (toyy .zulipchat .com) (retired.rules)
2047640 - ET RETIRED APT29 CnC Domain in DNS Lookup (edenparkweddings .com) (retired.rules)
2047641 - ET RETIRED Observed APT29 Domain (sgrhf .org .pk) in TLS SNI (retired.rules)
2047642 - ET RETIRED Observed APT29 Domain (toyy .zulipchat .com) in TLS SNI (retired.rules)
2047643 - ET RETIRED Observed APT29 Domain (edenparkweddings .com) in TLS SNI (retired.rules)
2047751 - ET RETIRED Suspected Adware/AccessMembre Domain in DNS Lookup (iconm1 .com) (retired.rules)
2047959 - ET RETIRED Red Wolf/RedCurl Payload Retrieval Attempt M5 (retired.rules)
2047960 - ET RETIRED Red Wolf/RedCurl Payload Retrieval Attempt M6 (retired.rules)
2047961 - ET RETIRED Red Wolf/RedCurl Implant Checkin (retired.rules)
2048084 - ET RETIRED Android/MMRAT Data Exfiltration Attempt (retired.rules)
2048104 - ET RETIRED Earth Lusca/SprySOCKS CnC Domain in DNS Lookup (retired.rules)
2048105 - ET RETIRED Earth Lusca/SprySOCKS CnC Domain in DNS Lookup (retired.rules)
2048118 - ET RETIRED Earth Lusca/SprySOCKS CnC Checkin (retired.rules)
2048397 - ET RETIRED BunnyLoader - Initial CnC Checkin (retired.rules)
2048399 - ET RETIRED BunnyLoader CnC Checkin - Retrieve Tasking (retired.rules)
2048400 - ET RETIRED BunnyLoader CnC Tasking Response (retired.rules)
2048401 - ET RETIRED BunnyLoader CnC Checkin - Echoer (retired.rules)
2048402 - ET RETIRED BunnyLoader CnC Checkin - Heartbeat (retired.rules)
2048404 - ET RETIRED BunnyLoader CnC Checkin - ResultCMD (retired.rules)
2048405 - ET RETIRED BunnyLoader Data Exfiltration Attempt (retired.rules)
2049140 - ET RETIRED Win32/Fewin Stealer Data Exfiltration Attempt (retired.rules)
2049152 - ET RETIRED Win32/Unknown RAT CnC Checkin (retired.rules)
2049794 - ET RETIRED Possible KV Botnet CnC Checkin (retired.rules)
2049813 - ET RETIRED Win32/Koi Loader CnC Checkin M1 (retired.rules)
2049814 - ET RETIRED Win32/Koi Loader CnC Checkin M2 (retired.rules)
2049815 - ET RETIRED Win32/Koi Loader CnC Checkin M3 (retired.rules)
2049816 - ET RETIRED Win32/Koi Stealer CnC Checkin (POST) M1 (retired.rules)
2050236 - ET RETIRED Trojanized Software Download Domain in DNS Lookup (macyy .cn) (retired.rules)
2050237 - ET RETIRED Khepri CnC Domain in DNS Lookup (securecrt .cc) (retired.rules)
2050238 - ET RETIRED Khepri CnC Domain in DNS Lookup (ultraedit .info) (retired.rules)
2050239 - ET RETIRED Khepri CnC Domain in DNS Lookup (securecrt .vip) (retired.rules)
2050240 - ET RETIRED Khepri CnC Domain in DNS Lookup (rdesktophub .com) (retired.rules)
2050241 - ET RETIRED Khepri CnC Domain in DNS Lookup (macnavicat .com) (retired.rules)
2050242 - ET RETIRED Khepri CnC Domain in DNS Lookup (vscode .digital) (retired.rules)
2050243 - ET RETIRED Khepri CnC Domain in DNS Lookup (ultraedit .vip) (retired.rules)
2050244 - ET RETIRED Khepri CnC Domain in DNS Lookup (finallshell .cc) (retired.rules)
2050245 - ET RETIRED Khepri CnC Domain in DNS Lookup (finalshell .me) (retired.rules)
2050246 - ET RETIRED Khepri CnC Domain in DNS Lookup (rdesktopconnect .com) (retired.rules)
2050247 - ET RETIRED Khepri CnC Domain in DNS Lookup (xmindcn .cc) (retired.rules)
2050248 - ET RETIRED Suspicious Request for bd.log (retired.rules)
2050249 - ET RETIRED Suspicious Request for fs.log (retired.rules)
2050279 - ET RETIRED [ANY.RUN] ZharkBOT HTTP CnC Checkin (retired.rules)
2061639 - ET EXPLOIT_KIT Fake Captcha Domain (analytiwave .com) in DNS Lookup (exploit_kit.rules)
2061640 - ET EXPLOIT_KIT Fake Captcha Domain (sharecloudes .com) in DNS Lookup (exploit_kit.rules)
2061641 - ET EXPLOIT_KIT Fake Captcha Domain (goclouder .com) in DNS Lookup (exploit_kit.rules)
2061642 - ET EXPLOIT_KIT Fake Captcha Domain (goclouder .net) in DNS Lookup (exploit_kit.rules)
2061643 - ET EXPLOIT_KIT Fake Captcha Domain (stat .bundlehulu .com) in DNS Lookup (exploit_kit.rules)
2061644 - ET EXPLOIT_KIT Fake Captcha Domain (gocloudes .com) in DNS Lookup (exploit_kit.rules)
2061645 - ET EXPLOIT_KIT Fake Captcha Domain (analytido .com) in DNS Lookup (exploit_kit.rules)
2061646 - ET EXPLOIT_KIT Observed Fake Captcha Domain (analytiwave .com) in TLS SNI (exploit_kit.rules)
2061647 - ET EXPLOIT_KIT Observed Fake Captcha Domain (sharecloudes .com) in TLS SNI (exploit_kit.rules)
2061648 - ET EXPLOIT_KIT Observed Fake Captcha Domain (goclouder .com) in TLS SNI (exploit_kit.rules)
2061649 - ET EXPLOIT_KIT Observed Fake Captcha Domain (goclouder .net) in TLS SNI (exploit_kit.rules)
2061650 - ET EXPLOIT_KIT Observed Fake Captcha Domain (stat .bundlehulu .com) in TLS SNI (exploit_kit.rules)
2061651 - ET EXPLOIT_KIT Observed Fake Captcha Domain (gocloudes .com) in TLS SNI (exploit_kit.rules)
2061652 - ET EXPLOIT_KIT Observed Fake Captcha Domain (analytido .com) in TLS SNI (exploit_kit.rules)
2061653 - ET EXPLOIT_KIT Fake Captcha Domain (security .flargyard .com) in DNS Lookup (exploit_kit.rules)
2061654 - ET EXPLOIT_KIT Fake Captcha Domain (ubiosut .com) in DNS Lookup (exploit_kit.rules)
2061655 - ET EXPLOIT_KIT Fake Captcha Domain (ubiosut .info) in DNS Lookup (exploit_kit.rules)
2061656 - ET EXPLOIT_KIT Fake Captcha Domain (lomerhs .com) in DNS Lookup (exploit_kit.rules)
2061657 - ET EXPLOIT_KIT Fake Captcha Domain (security .clodufgard .com) in DNS Lookup (exploit_kit.rules)
2061658 - ET EXPLOIT_KIT Fake Captcha Domain (folherc .org) in DNS Lookup (exploit_kit.rules)
2061659 - ET EXPLOIT_KIT Fake Captcha Domain (lomerhs .info) in DNS Lookup (exploit_kit.rules)
2061660 - ET EXPLOIT_KIT Fake Captcha Domain (xoebty .info) in DNS Lookup (exploit_kit.rules)
2061661 - ET EXPLOIT_KIT Fake Captcha Domain (amoliera .org) in DNS Lookup (exploit_kit.rules)
2061662 - ET EXPLOIT_KIT Fake Captcha Domain (unazer .com) in DNS Lookup (exploit_kit.rules)
2061663 - ET EXPLOIT_KIT Fake Captcha Domain (xoebty .org) in DNS Lookup (exploit_kit.rules)
2061664 - ET EXPLOIT_KIT Fake Captcha Domain (security .cloydgvarde .com) in DNS Lookup (exploit_kit.rules)
2061665 - ET EXPLOIT_KIT Fake Captcha Domain (security .clodufshield .com) in DNS Lookup (exploit_kit.rules)
2061666 - ET EXPLOIT_KIT Fake Captcha Domain (daoeidk .org) in DNS Lookup (exploit_kit.rules)
2061667 - ET EXPLOIT_KIT Fake Captcha Domain (folherc .com) in DNS Lookup (exploit_kit.rules)
2061668 - ET EXPLOIT_KIT Fake Captcha Domain (anerolki .info) in DNS Lookup (exploit_kit.rules)
2061669 - ET EXPLOIT_KIT Fake Captcha Domain (amoliera .com) in DNS Lookup (exploit_kit.rules)
2061670 - ET EXPLOIT_KIT Fake Captcha Domain (daoeidk .info) in DNS Lookup (exploit_kit.rules)
2061671 - ET EXPLOIT_KIT Fake Captcha Domain (unazer .org) in DNS Lookup (exploit_kit.rules)
2061672 - ET EXPLOIT_KIT Fake Captcha Domain (folherc .info) in DNS Lookup (exploit_kit.rules)
2061673 - ET EXPLOIT_KIT Fake Captcha Domain (anerolki .org) in DNS Lookup (exploit_kit.rules)
2061674 - ET EXPLOIT_KIT Fake Captcha Domain (security .flaiegaurd .com) in DNS Lookup (exploit_kit.rules)
2061675 - ET EXPLOIT_KIT Fake Captcha Domain (security .closecufre .com) in DNS Lookup (exploit_kit.rules)
2061676 - ET EXPLOIT_KIT Fake Captcha Domain (cesiabs .org) in DNS Lookup (exploit_kit.rules)
2061677 - ET EXPLOIT_KIT Fake Captcha Domain (jehvkc .info) in DNS Lookup (exploit_kit.rules)
2061678 - ET EXPLOIT_KIT Fake Captcha Domain (security .secuclauf .com) in DNS Lookup (exploit_kit.rules)
2061679 - ET EXPLOIT_KIT Fake Captcha Domain (xoebty .com) in DNS Lookup (exploit_kit.rules)
2061680 - ET EXPLOIT_KIT Fake Captcha Domain (broadsage .net) in DNS Lookup (exploit_kit.rules)
2061681 - ET EXPLOIT_KIT Fake Captcha Domain (njolekaz .com) in DNS Lookup (exploit_kit.rules)
2061682 - ET EXPLOIT_KIT Fake Captcha Domain (security .colkudflare .com) in DNS Lookup (exploit_kit.rules)
2061683 - ET EXPLOIT_KIT Fake Captcha Domain (jehvkc .com) in DNS Lookup (exploit_kit.rules)
2061684 - ET EXPLOIT_KIT Fake Captcha Domain (lomerhs .org) in DNS Lookup (exploit_kit.rules)
2061685 - ET EXPLOIT_KIT Fake Captcha Domain (broadsage .com) in DNS Lookup (exploit_kit.rules)
2061686 - ET EXPLOIT_KIT Fake Captcha Domain (cesiabs .info) in DNS Lookup (exploit_kit.rules)
2061687 - ET EXPLOIT_KIT Fake Captcha Domain (unazer .info) in DNS Lookup (exploit_kit.rules)
2061688 - ET EXPLOIT_KIT Fake Captcha Domain (njolekaz .info) in DNS Lookup (exploit_kit.rules)
2061689 - ET EXPLOIT_KIT Fake Captcha Domain (ubiosut .org) in DNS Lookup (exploit_kit.rules)
2061690 - ET EXPLOIT_KIT Fake Captcha Domain (daoeidk .com) in DNS Lookup (exploit_kit.rules)
2061691 - ET EXPLOIT_KIT Fake Captcha Domain (broadsage .org) in DNS Lookup (exploit_kit.rules)
2061692 - ET EXPLOIT_KIT Fake Captcha Domain (anerolki .com) in DNS Lookup (exploit_kit.rules)
2061693 - ET EXPLOIT_KIT Fake Captcha Domain (cesiabs .com) in DNS Lookup (exploit_kit.rules)
2061694 - ET EXPLOIT_KIT Fake Captcha Domain (jehvkc .org) in DNS Lookup (exploit_kit.rules)
2061695 - ET EXPLOIT_KIT Fake Captcha Domain (njolekaz .org) in DNS Lookup (exploit_kit.rules)
2061696 - ET EXPLOIT_KIT Fake Captcha Domain (amoliera .info) in DNS Lookup (exploit_kit.rules)
2061697 - ET INFO DYNAMIC_DNS Query to a *.budjettravel .net domain (info.rules)
2061698 - ET INFO DYNAMIC_DNS HTTP Request to a *.budjettravel .net domain (info.rules)
2061699 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (agroeconb .live) (malware.rules)
2061700 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (agroeconb .live) in TLS SNI (malware.rules)
2061701 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ecoexpanpd .live) (malware.rules)
2061702 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ecoexpanpd .live) in TLS SNI (malware.rules)
2061703 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (econusi .digital) (malware.rules)
2061704 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (econusi .digital) in TLS SNI (malware.rules)
2061705 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (franecont .run) (malware.rules)
2061706 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (franecont .run) in TLS SNI (malware.rules)
2061707 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (qinspiringecho .rest) (malware.rules)
2061708 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (qinspiringecho .rest) in TLS SNI (malware.rules)
2061709 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rainyreplacwv .site) (malware.rules)
2061710 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rainyreplacwv .site) in TLS SNI (malware.rules)
2061711 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thundercoall .live) (malware.rules)
2061712 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (thundercoall .live) in TLS SNI (malware.rules)
2061713 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (piratetwrath .run) (malware.rules)
2061714 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (piratetwrath .run in TLS SNI) (malware.rules)
2061715 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (quilltayle .live) (malware.rules)
2061716 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (quilltayle .live in TLS SNI) (malware.rules)
2061717 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (starofliught .top) (malware.rules)
2061718 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (starofliught .top in TLS SNI) (malware.rules)
2061719 - ET MALWARE CHStealer getshortinfo Command CnC Checkin (malware.rules)
2061720 - ET MALWARE CHStealer checkping Command CnC Checkin (malware.rules)
2061721 - ET WEB_SERVER SonicWall SMA Unauthenticated handleWAFRedirect CGI Arbitrary File Deletion (CVE-2021-20034) (web_server.rules)
2061722 - ET WEB_SERVER SonicWall SMA Unauthenticated sonicfiles RAC_DOWNLOAD_TAR Method Arbitrary File Deletion (web_server.rules)
2061723 - ET HUNTING Powershell Script Inbound Which Downloads C++ Compiler (Used by Stagers) (hunting.rules)
2061724 - ET WEB_SERVER SonicWall SMA Post-Auth Python Management API Remote Code Execution (CVE-2021-20044) (web_server.rules)
2061725 - ET WEB_SERVER SonicWall SMA Pre-Auth Stored Cross-Site Scripting (web_server.rules)
2061726 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (www .purepassionwellness .com) (malware.rules)
2061727 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (www .purepassionwellness .com) (malware.rules)

Pro:

2852666 - ETPRO RETIRED Observed SSL Cert (anysrc .net) (retired.rules)
2853036 - ETPRO RETIRED Security Awareness Campaign Domain in DNS Lookup (retired.rules)
2855905 - ETPRO RETIRED Win32/Apocalypse RAT CnC Checkin (checkcmd) (retired.rules)
2855906 - ETPRO RETIRED Win32/Apocalypse RAT CnC Checkin (checkcmd) - Acknowledgement (retired.rules)
2861182 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
2861183 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
2861184 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)

Removed rules:

2018372 - ET EXPLOIT Malformed HeartBeat Request (exploit.rules)
2018373 - ET EXPLOIT Malformed HeartBeat Response (exploit.rules)
2018374 - ET EXPLOIT Malformed HeartBeat Request method 2 (exploit.rules)
2036985 - ET MALWARE Observed DNS Query to Maldoc Domain (webnar .info) (malware.rules)
2037107 - ET MALWARE Win32/Delf.TJJ CnC Checkin M1 (malware.rules)
2037108 - ET MALWARE Win32/Delf.TJJ CnC Checkin M2 (malware.rules)
2037111 - ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (dsk .5636 .com) (malware.rules)
2037112 - ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (wx .go890 .com) (malware.rules)
2037113 - ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (cfg .jipinwan .com) (malware.rules)
2037114 - ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (bk .957wan .com) (malware.rules)
2037115 - ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (www .58sky .com) (malware.rules)
2037116 - ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (cnwx .58ad .cn) (malware.rules)
2037117 - ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (gc .wb51 .com) (malware.rules)
2037118 - ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (cmps .58sky .com) (malware.rules)
2037143 - ET MALWARE ZuoRAT CBeacon CnC (malware.rules)
2037741 - ET ADWARE_PUP AlphabetSoup Adware Extension CnC Checkin (adware_pup.rules)
2038900 - ET MALWARE Win32/Agent.XXZ Checkin (malware.rules)
2038901 - ET MALWARE Win32/Covagent Checkin (malware.rules)
2039778 - ET MALWARE GO/Titan Stealer Data Exfiltration Attempt (malware.rules)
2043198 - ET MALWARE Win32/Aurora Stealer WORK Command (malware.rules)
2043199 - ET MALWARE Win32/Aurora Stealer Accept Command (malware.rules)
2043200 - ET MALWARE Win32/Aurora Stealer Thanks Command (malware.rules)
2045222 - ET MALWARE TA453 Modified IIS-Raid Backdoor Module Headers in HTTP Request (malware.rules)
2045223 - ET MALWARE TA453 IIS Credential Stealer Module/Backdoor Headers in HTTP Request (malware.rules)
2045224 - ET MALWARE TA453 BellaCiao ASPX Backdoor User-Agent in HTTP Request (malware.rules)
2045225 - ET MALWARE IIS-Raid Module Backdoor Default Headers in HTTP Request (malware.rules)
2045226 - ET MALWARE IIS-Raid Module Backdoor Ping in HTTP Request (malware.rules)
2045298 - ET MALWARE Truebot/Silence.Downloader No Tasking Response from Server (malware.rules)
2045299 - ET MALWARE TrueBot/Silence.Downloader CnC Checkin 4 (malware.rules)
2046259 - ET MALWARE Kimsuky ReconShark Related APT Activity (malware.rules)
2046729 - ET MALWARE [ANY.RUN] Remcos RAT Checkin 861 (malware.rules)
2046730 - ET MALWARE GobRAT CnC Domain in DNS Lookup (ktlvz .dnsfailover .net) (malware.rules)
2046731 - ET MALWARE GobRAT CnC Domain in DNS Lookup (wpksi .mefound .com) (malware.rules)
2046732 - ET MALWARE GobRAT CnC Domain in DNS Lookup (su .vealcat .com) (malware.rules)
2046733 - ET MALWARE Observed GobRAT Domain (ktlvz .dnsfailover .net) in TLS SNI (malware.rules)
2046734 - ET MALWARE Observed GobRAT Domain (wpksi .mefound .com) in TLS SNI (malware.rules)
2046735 - ET MALWARE Observed GobRAT Domain (su .vealcat .com) in TLS SNI (malware.rules)
2046881 - ET MALWARE Suspected Andariel RexPot CnC Checkin M1 (malware.rules)
2046882 - ET MALWARE Suspected Andariel RexPot CnC Checkin M2 (malware.rules)
2047004 - ET MALWARE Win32/OriginLoader CnC Checkin (malware.rules)
2047005 - ET MALWARE MacOS/Realst CnC Checkin (malware.rules)
2047616 - ET MALWARE MacOS/RustBucket System Information Exfiltration Attempt (malware.rules)
2047638 - ET MALWARE APT29 CnC Domain in DNS Lookup (sgrhf .org .pk) (malware.rules)
2047639 - ET MALWARE APT29 CnC Domain in DNS Lookup (toyy .zulipchat .com) (malware.rules)
2047640 - ET MALWARE APT29 CnC Domain in DNS Lookup (edenparkweddings .com) (malware.rules)
2047641 - ET MALWARE Observed APT29 Domain (sgrhf .org .pk) in TLS SNI (malware.rules)
2047642 - ET MALWARE Observed APT29 Domain (toyy .zulipchat .com) in TLS SNI (malware.rules)
2047643 - ET MALWARE Observed APT29 Domain (edenparkweddings .com) in TLS SNI (malware.rules)
2047751 - ET ADWARE_PUP Suspected Adware/AccessMembre Domain in DNS Lookup (iconm1 .com) (adware_pup.rules)
2047959 - ET MALWARE Red Wolf/RedCurl Payload Retrieval Attempt M5 (malware.rules)
2047960 - ET MALWARE Red Wolf/RedCurl Payload Retrieval Attempt M6 (malware.rules)
2047961 - ET MALWARE Red Wolf/RedCurl Implant Checkin (malware.rules)
2048084 - ET MOBILE_MALWARE Android/MMRAT Data Exfiltration Attempt (mobile_malware.rules)
2048104 - ET MALWARE Earth Lusca/SprySOCKS CnC Domain in DNS Lookup (malware.rules)
2048105 - ET MALWARE Earth Lusca/SprySOCKS CnC Domain in DNS Lookup (malware.rules)
2048118 - ET MALWARE Earth Lusca/SprySOCKS CnC Checkin (malware.rules)
2048397 - ET MALWARE BunnyLoader - Initial CnC Checkin (malware.rules)
2048399 - ET MALWARE BunnyLoader CnC Checkin - Retrieve Tasking (malware.rules)
2048400 - ET MALWARE BunnyLoader CnC Tasking Response (malware.rules)
2048401 - ET MALWARE BunnyLoader CnC Checkin - Echoer (malware.rules)
2048402 - ET MALWARE BunnyLoader CnC Checkin - Heartbeat (malware.rules)
2048404 - ET MALWARE BunnyLoader CnC Checkin - ResultCMD (malware.rules)
2048405 - ET MALWARE BunnyLoader Data Exfiltration Attempt (malware.rules)
2049140 - ET MALWARE Win32/Fewin Stealer Data Exfiltration Attempt (malware.rules)
2049152 - ET MALWARE Win32/Unknown RAT CnC Checkin (malware.rules)
2049794 - ET MALWARE Possible KV Botnet CnC Checkin (malware.rules)
2049813 - ET MALWARE Win32/Koi Loader CnC Checkin M1 (malware.rules)
2049814 - ET MALWARE Win32/Koi Loader CnC Checkin M2 (malware.rules)
2049815 - ET MALWARE Win32/Koi Loader CnC Checkin M3 (malware.rules)
2049816 - ET MALWARE Win32/Koi Stealer CnC Checkin (POST) M1 (malware.rules)
2050236 - ET MALWARE Trojanized Software Download Domain in DNS Lookup (macyy .cn) (malware.rules)
2050237 - ET MALWARE Khepri CnC Domain in DNS Lookup (securecrt .cc) (malware.rules)
2050238 - ET MALWARE Khepri CnC Domain in DNS Lookup (ultraedit .info) (malware.rules)
2050239 - ET MALWARE Khepri CnC Domain in DNS Lookup (securecrt .vip) (malware.rules)
2050240 - ET MALWARE Khepri CnC Domain in DNS Lookup (rdesktophub .com) (malware.rules)
2050241 - ET MALWARE Khepri CnC Domain in DNS Lookup (macnavicat .com) (malware.rules)
2050242 - ET MALWARE Khepri CnC Domain in DNS Lookup (vscode .digital) (malware.rules)
2050243 - ET MALWARE Khepri CnC Domain in DNS Lookup (ultraedit .vip) (malware.rules)
2050244 - ET MALWARE Khepri CnC Domain in DNS Lookup (finallshell .cc) (malware.rules)
2050245 - ET MALWARE Khepri CnC Domain in DNS Lookup (finalshell .me) (malware.rules)
2050246 - ET MALWARE Khepri CnC Domain in DNS Lookup (rdesktopconnect .com) (malware.rules)
2050247 - ET MALWARE Khepri CnC Domain in DNS Lookup (xmindcn .cc) (malware.rules)
2050248 - ET HUNTING Suspicious Request for bd.log (hunting.rules)
2050249 - ET HUNTING Suspicious Request for fs.log (hunting.rules)
2050279 - ET MALWARE [ANY.RUN] ZharkBOT HTTP CnC Checkin (malware.rules)
2852666 - ETPRO POLICY Observed SSL Cert (anysrc .net) (policy.rules)
2853036 - ETPRO PHISHING Security Awareness Campaign Domain in DNS Lookup (phishing.rules)
2855905 - ETPRO MALWARE Win32/Apocalypse RAT CnC Checkin (checkcmd) (malware.rules)
2855906 - ETPRO MALWARE Win32/Apocalypse RAT CnC Checkin (checkcmd) - Acknowledgement (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2023/04/14 - v10298 Ruleset Updates	355	April 14, 2023
Ruleset Update Summary - 2025/01/13 - v10836 Ruleset Updates	102	January 13, 2025
Ruleset Update Summary - 2024/09/23 - v10701 Ruleset Updates	140	September 23, 2024
Ruleset Update Summary - 2025/03/04 - v10871 Ruleset Updates	80	March 4, 2025
Ruleset Update Summary - 2025/03/06 - v10873 Ruleset Updates	65	March 6, 2025

Ruleset Update Summary - 2025/04/17 - v10908

Summary:

Added rules:

Open:

Pro:

Removed rules:

Related topics